In 2023, Cisco Talos and partners created a special Backdoors & Breaches card deck to help NGOs improve their cybersecurity skills with practical, easy-to-use training tailored to their needs.

Monday, August 4, 2025 12:00

*   In 2023, Talos collaborated with NetHope and Cisco Crisis Response to create a customized Backdoors & Breaches expansion deck for international humanitarian organizations, addressing their unique cybersecurity challenges. 
*   The new expansion deck helps NGOs with constrained budgets improve proactive security and incident response skills through engaging tabletop exercises that are specific to their technical, political, and logistical challenges. 
*   Hundreds of expansion decks have been distributed to international NGOs, and Talos has received positive feedback for their practicality and relevance. 
*   Building on this success, we partnered with NGO-ISAC to develop a United States-specific deck for domestic NGOs, enhancing their cybersecurity preparedness.

**Humanitarian organizations and the cybersecurity landscape**

Hello friends! My name is Joe Marshall and I work at Cisco Talos as a cyber threat researcher and security strategist. Throughout my travels with Talos, I’ve met extraordinary individuals and organizations who fight injustices in a variety of ways: caring for children, feeding the unhoused, promoting democracy, protecting the environment, or resettling refugees who are fleeing from war. 

In moments of unimaginable crisis and pain, the international non-governmental organization (NGO) folks I met are on the front lines distributing aid, documenting human rights abuses, assisting first responders, and offering comfort to people who have had their worlds upended. I unabashedly admire and respect them. 

Unfortunately, international NGOs have historically struggled in cybersecurity. No matter an NGO’s size, limited donor and grant dollars mean that sustaining the organization competes with delivering aid, leaving little (if any) funding for cybersecurity. As a result, public sector offensive actors, mercenary spyware organizations, and state-sponsored actors take advantage of this to target or financially exploit these NGOs, even though they are assisting some of the most vulnerable people in the world. No one gets a pass in this modern era of cybercrime!

**Helping the helpers**

In 2023, the Cisco Crisis Response (CCR) team — a group that helps local agencies and communities prepare for, respond to, and sustainably rebuild from crises — approached my team at Talos with a rare opportunity to help incorporate cybersecurity into their work alongside their partner, NetHope.

NetHope is a humanitarian assistance organization that “helps our nonprofit Members effectively address the world’s most pressing challenges through collaboration, collective action and the smarter use of technology.” They also host the NetHope Global Summit, a yearly gathering of international NGOs to discuss technical issues and solutions to enable their member NGOs’ missions.

Before this project, I was not well-versed in the challenges of the NGO cybersecurity landscape or operating realities. Every business vertical is unique, and my first few meetings with NetHope forced me to confront the stark realities of the cybersecurity poverty line. With NGOs’ limited cybersecurity budgets, expertise, and resources, I knew our project had to have a low barrier to entry.

After much brainstorming, I suggested that we create an NGO-centric version of the popular cybersecurity tabletop exercise, “Backdoors & Breaches,” to keep workers’ incident response skills sharp.

**What is a tabletop exercise? **

A tabletop exercise (TTX) is a group thought experiment. The “Game Master” presents various scenarios and variables to their players, who are usually team leaders in their business, to see how they respond as a group. At a high level, TTXs are a way to help your team prepare for worst-case scenarios and cost-effectively develop plans and responses to a variety of incidents. As they say, “Fortune favors the prepared.”

For example, a hospital might want to conduct a TTX to develop and test incident response and data recovery if hackers were to attack their electronic health records. An electric utility company might conduct a TTX to test critical infrastructure restoration and coordination with emergency responders. And, of course, a humanitarian assistance organization may need to protect itself against cyber attacks to keep their life-saving work going!

**An introduction to Backdoors & Breaches**

Backdoors & Breaches is a card-based TTX developed and published under a GNU license by Black Hills Information Security. It’s a novel game designed to teach both technical and non-technical players cybersecurity incident response in a format similar to the popular Dungeons & Dragons roleplaying game. Here’s an example of gameplay at the RSA Conference, with the digital version of the game:

If you want to accommodate a specific technical aspect of security, like industrial control systems, the cloud, or threat hunting, you can modify Backdoors & Breaches with expansion decks. Customizing cards to reflect your team's unique circumstances can result in better buy-in and even a higher level of preparedness when a breach occurs.

**Talos and NetHope create a new expansion**

It was this potential customization that attracted me to making a new expansion deck for the international humanitarian community. The concept of Talos and NetHope adapting a cost-effective, portable, and easy-to-understand TTX to fit the limited cybersecurity budgets of typical NGOs was irresistible. To bring this vision to life, I assembled a diverse team of seasoned cybersecurity NGO professionals, technologists, and crisis response specialists who recognized the value in developing new cards.

The result was a new deck that seamlessly merged into the original Backdoors & Breaches game. These unique cards are modeled from real events and speak to the unique technical, political, and logistical challenges that humanitarian assistance organizations may face during cyber attacks. Here are some examples:

__Imagine that an angry mob raids your NGO’s office. You’re trying to do digital forensics, but your team is forced to leave the country! What do you do?__

We presented this new expansion at the NetHope Global Summit in 2023, where participants widely enjoyed it. We found that this expansion pack brought them together in ways the generic deck on its own likely wouldn’t have. Many people shared first-hand experiences with the stressful situations these cards presented, which led to authentic and open conversations on the best responses to the scenarios.

__Presenting the base deck and expansion pack at the 2023 NetHope Global Summit.__

Over the course of several summits, Talos and NetHope have given away hundreds of physical copies of the expansion, and we’ve received a lot of positive reception from the international NGO community. If you’re curious, you can also find the cards online here.

**The U.S. domestic NGO edition**

In a country as large as the United States, there are hundreds of domestic NGOs that operate solely within the country and local communities. The NGO Information Sharing and Analysis Center (NGO-ISAC) is a 501(c)(3) nonprofit organization that focuses on domestic civil society organizations.

Using the momentum of our Backdoors & Breaches international humanitarian expansion pack, Talos partnered with NGO-ISAC to create a new deck that reflects U.S.-specific NGO security situations.

__On-stage demonstration at the__ __Ford Foundation__ __for the NGO-ISAC Conference.__

If the NGO’s team is spread across the country and wants to play, that’s not a problem! Using this GitHub link you can instantiate and connect to a mini web server on your local computer. With a web sharing tool, you can stream it to any size audience and folks can play along virtually. You can easily use Python for this.

**Conclusion**

International and domestic NGOs are critical to aid delivery and civil society, but they’re heavily targeted by threat actors who seek to disrupt or exploit their missions. TTXs like Backdoors & Breaches lower the barrier to entry for organizations to have serious conversations about security posture and response, and NetHope and Talos’ custom expansions provide industry-specific scenarios to enrich the experience.

I feel very fortunate to have had the opportunity to volunteer and donate my time to help NGO workers and volunteers fight the good fight. Whether you’re a threat intelligence organization, an international NGO providing medical care to refugees, or a domestic food bank fighting hunger, Talos is with you.

Backdoors & Breaches: How Talos is helping humanitarian aid NGOs prepare for cyber attacks

JSCEAL malware targets millions using fake crypto app ads to steal wallets and data. Users urged to stay alert and avoid downloading from untrusted sources.

A new cybercrime campaign, dubbed JSCEAL, is actively targeting people who use cryptocurrency apps, reveals the latest research from security research firm Check Point Research (CPR).

The malicious operation, which has been active since at least March 2024, has served more than 35,000 misleading ads in the first half of 2025 alone. Researchers believe the total reach of this campaign is estimated to be around 3.5 million users within the European Union and likely over 10 million users worldwide.

The campaign lures victims with fake ads that impersonate almost 50 popular crypto trading apps. When a user clicks on one of these ads, they are led to a phony website that looks legitimate and are prompted to download an installer file.

This file, which is often signed with a valid digital certificate to appear trustworthy, secretly contains malware. The attackers have been observed to impersonate dozens of different brands, showing how widespread and varied the threat is.

****The Attack****

According to CPR’s report, the JSCEAL campaign shows a multi-layered approach. Instead of a single virus, the attack involves several steps. The malicious installer first runs scripts that collect a wide range of data about the victim’s computer. This information is then sent to the attackers, who decide if the target is valuable. If they are, the final and most dangerous part of the attack is launched, which is the JSCEAL malware itself.

Infection Flow Illustration (Source: CPR)

This malware is a serious threat because it uses an advanced technique called compiled JavaScript (JSC) to hide its code. The attackers use a program called Node.js, a legitimate software environment, to run the malware, which helps it bypass many traditional security systems. As a result, the malicious code can remain “hidden from traditional security solutions.”

****Stealing Wallets and Personal Data****

Once the JSCEAL malware is installed, it can steal sensitive information related to cryptocurrencies, such as credentials and digital wallets. The malware also has a wide range of other capabilities, including taking screenshots, logging keystrokes, and even manipulating web traffic to steal data in real time.

The JSCEAL campaign’s use of new techniques like compiled JavaScript and its widespread reach make it a significant concern for anyone using cryptocurrency platforms. This means users should be extra cautious about where they download applications and to have more reliable security measures in place.

New JSCEAL Malware Targets Millions via Fake Crypto App Ads

Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name.

Note that the indicated Severity corresponds to a worst-case usage scenario, e.g. allowing user-supplied data to be sent as-is to the above-mentioned methods.

### Impact
SQLite3 driver.

### Patches
Vulnerability is fixed in ADOdb 5.22.10 (https://github.com/ADOdb/ADOdb/commit/5b8bd52cdcffefb4ecded1b399c98cfa516afe03).

### Workarounds
Only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() method's $table parameter.

### Credits

Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.

Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name.

Note that the indicated Severity corresponds to a worst-case usage scenario, e.g. allowing user-supplied data to be sent as-is to the above-mentioned methods.

**Impact**

SQLite3 driver.

**Patches**

Vulnerability is fixed in ADOdb 5.22.10 (ADOdb/ADOdb@5b8bd52).

**Workarounds**

Only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() method's $table parameter.

**Credits**

Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.

**References**

*   GHSA-vf2r-cxg9-p7rf
*   ADOdb/ADOdb#1083
*   ADOdb/ADOdb@5b8bd52

GHSA-vf2r-cxg9-p7rf: The ADOdb sqlite3 driver allows SQL injection

Cybersecurity threats to local governments are part of life in the digital environment in which people live today.…

Cybersecurity threats to local governments are part of life in the digital environment in which people live today. They include municipal systems, which provide essential services like water, electricity, or even the police and fire, that protect our communities, especially vulnerable ones.

Their precariousness makes them more vulnerable than any other group and thus even more in need of protection. Awareness of these dangers is the starting point for protecting communities and preventing the compromise of local services.

****The Growing Threat Landscape****

Cybercriminals have targeted municipalities and the sensitive information they handle, from citizen data to financial records. Cyberattacks can impact services, with dire consequences for residents. Hackers typically look for the easiest entry path, and local governments often lack the resources to respond.

Local government cybersecurity has not always been a pressing issue, so authorities created many municipal systems with little regard for security. This aspect makes them dependent on extant technology. However, this dependence on older systems introduces weaknesses that nefarious entities can exploit. To add to this problem, technology advances astonishingly, with attackers constantly evolving their tactics to breach those defences.

****Why Municipal Systems Are Vulnerable****

Local governments face a third challenge, probably the biggest: budgetary constraints. Investing in cybersecurity is costly and often battles against other, more urgent needs. For a municipality with tight funds, upgrading systems or using more sophisticated security methods may be challenging, which leaves them vulnerable to attack.

Moreover, municipal workers often receive little cybersecurity training. Without proper education, staff could easily be the next victim of phishing or scams. Most people handle security poorly; hence, it is the weakest part of any security strategy. Knowing and learning everything is essential.

****Potential Consequences of Cyberattacks****

A cyberattack on city systems could have broad and dire effects, ultimately impacting service from emergency response to utility services. Delays or total breakdowns in essential services can upset people and cause safety concerns.

Another notable issue is data breaches. Sensitive pages such as SSN or health records can be captured and impersonated. However, this does more than harm individuals; it can also erode public confidence in local government. It could damage community confidence with repercussions for longer-lasting community relations and governance.

****Strategies for Enhancing Cybersecurity****

Local governments need a proactive approach to protecting municipal systems. They should invest in modern technology. Improving out-of-date infrastructure lowers weak spots and improves general security. Integrating automated systems will enable more efficient threat detection and response.

Training is another critical component. Providing employees with knowledge of cybersecurity threats and measures that they can take to mitigate them can go a long way in preventing successful attacks on the organisation. Frequent training sessions and updates keep staff apprised of evolving threats and how to respond.

Joining forces with outside experts can maintain municipal cybersecurity. Collaborating with cybersecurity companies or other government entities offers expertise and access to unique resources. Such partnerships may result in stronger security strategies customised for local government infrastructures.

****Forwards to Policy and Regulation****

Policy highly influences municipal cybersecurity efforts. Governments can create regulations that develop a minimum security baseline for municipalities. Such policies may require companies to conduct periodic audits of their systems or make employee training compulsory.

Explicit guidelines allow municipalities to streamline their cyber approach. This consistency helps drive regional resilience and enables governments to engage in better communication, collaboration, and cooperation.

****Conclusion****

Protecting city systems from cyberattacks is more important than ever. With a clear understanding of the risks and a plan to address them, local governments can keep essential services running and maintain public trust.

This means updating old systems, training staff, and putting strong policies in place so cities can stay ahead of threats. As the digital world keeps changing, staying alert and adaptable will be key to keeping communities and their services safe.

Local Government Cybersecurity: Why Municipal Systems Need Extra Protection

A new security flaw, LegalPwn, exploits a weakness in generative AI tools like GitHub Copilot and ChatGPT, where malicious code is disguised as legal disclaimers. Learn why human oversight is now more critical than ever for AI security.

A new and unique cyberattack, dubbed LegalPwn, has been discovered by researchers at Pangea Labs, an AI security firm. This attack leverages a flaw in the programming of major generative AI tools, successfully tricking them into classifying dangerous malware as safe code.

The research, shared with Hackread.com, reveals that these AI models, which are trained to respect legal-sounding text, can be manipulated by social engineering.

The LegalPwn technique works by hiding malicious code within fake legal disclaimers. According to the research, twelve major AI models were tested, and most were found to be susceptible to this form of social engineering. The researchers successfully exploited models using six different legal contexts, including the following:

1.  Legal disclaimers
2.  Compliance mandates
3.  Confidentiality notices
4.  Terms of service violations
5.  Copyright violation notices
6.  License agreement restrictions

The attack is considered a form of prompt injection, where malicious instructions are crafted to manipulate an AI’s behaviour. Recently, Hackread.com also observed a similar trend with the Man in the Prompt attack, where malicious browser extensions can be used to inject hidden prompts into tools like ChatGPT and Gemini, a finding from LayerX research.

****Real-World Tools At Risk****

The findings (PDF) are not just theoretical lab experiments; they affect developer tools used by millions of people daily. For example, Pangea Labs found that Google’s Gemini CLI, a command-line interface, was tricked into recommending that a user execute a reverse shell, a type of malicious code that gives an attacker remote access to a computer, on their system. Similarly, GitHub Copilot was fooled into misidentifying code containing a reverse shell as a simple calculator when it was hidden within a fake copyright notice.

Attack Concept Explained (Source: Pangea Labs)

> _“LegalPwn attacks were also tested in live environments, including tools like gemini-cli. In these real-world scenarios, the injection successfully bypassed AI-driven security analysis, causing the system to misclassify the malicious code as safe.”_
> 
> Pangea Labs

The research highlighted that models from prominent companies are all vulnerable to this attack. These include the following:

*   xAI’s Grok
*   Google’s Gemini
*   Meta’s Llama 3.3
*   OpenAI’s ChatGPT 4.1 and 4o.

However, some models showed strong resistance, such as Anthropic’s Claude 3.5 Sonnet and Microsoft’s Phi 4. The researchers noted that even with explicit security prompts designed to make the AI aware of threats, the LegalPwn technique still managed to succeed in some cases.

Test results on LLMs with no system prompt applied. A checkmark means the attack succeeded (Source: Pangea Labs).

****The Importance of Human Oversight****

The Pangea research highlights a critical security gap in AI systems. It was found that across all testing scenarios, human security analysts consistently and correctly identified the malicious code, while the AI models, even with security instructions, failed to do so when the malware was wrapped in legal-looking text.

The researchers concluded that organisations should not rely solely on automated AI security analysis, emphasising the need for human supervision to ensure the integrity and safety of systems that increasingly rely on AI.

To protect against this new threat, Pangea recommends that companies implement a human-in-the-loop review process for all AI-assisted security decisions, deploy specific AI guardrails designed to detect prompt injection attempts and suggest avoiding fully automated AI security workflows in live environments.

LegalPwn Attack Tricks GenAI Tools Into Misclassifying Malware as Safe Code

Newark, United States, 4th August 2025, CyberNewsWire

**Newark, United States, August 4th, 2025, CyberNewsWire**

Early Bird registration is now available for the inaugural **OpenSSL Conference****,** scheduled for October 7–9, 2025, in Prague. The event will bring together leading voices in cryptography, secure systems, and open-source infrastructure. Early registrants can save up to $240 per ticket.

**Registration Information**

Registration packages are designed to reflect the diversity of the OpenSSL Communities, offering options for both essential access and extended participation. Seating is limited, and early registration, available until August 31, is strongly encouraged.

Attendees can **REGISTER NOW**

**Featured Speakers & Programme Tracks**

Confirmed speakers include Daniel J. Bernstein, Research Professor, University of Illinois Chicago; Matt Caswell, President, OpenSSL Foundation; Tanja Lange, Professor, Eindhoven University of Technology; Tim Hudson, President, OpenSSL Corporation, and many more. 

**Participants will engage across four focused program tracks:**

*   Business Value and Enterprise Adoption
*   Technical Deep Dive and Innovation
*   Security, Compliance, and the Law
*   Community, Contribution, and the Future

**Sponsorship Opportunities**

Organisations committed to advancing digital security are invited to explore **sponsorship opportunities** for the OpenSSL Conference. Sponsors benefit from **high-impact visibility**, **meaningful engagement** with technical and policy leaders, and a direct connection to the global cryptographic community.

Sponsorship helps support community participation, collaborative innovation, and the continued development of open, secure infrastructure.

**Scholarships Provided by the OpenSSL Foundation** 

The OpenSSL Foundation is offering a **limited number of scholarships** to support individuals attending the inaugural OpenSSL Conference in Prague. **Read** **more and apply now**.

> “The OpenSSL Library is critical infrastructure, and the OpenSSL Conference reflects our commitment to transparency, accountability, and community-driven direction. Come and meet our team in-person and engage with like-minded community members in influencing how we deliver on the OpenSSL Mission. Users, developers, managers, lawyers, policy makers, researchers – there is content for everyone!” – **Tim Hudson**, President, OpenSSL Corporation

> “The OpenSSL Conference represents a unique opportunity for cryptography and secure communications experts, developers and enthusiasts to gather together and hear talks and discussions on a broad range of topics. I am delighted by the high quality of the sessions that have been submitted to us and the fascinating agenda that has been put together.”– **Matt Caswell**, President, OpenSSL Foundation

**Contacting & Staying Informed**

For questions, attendees may reach out via email at \[email protected\] or **schedule a meeting** with the OpenSSL Conference team. More information can be found on the official OpenSSL Conference website OpenSSL Conference.

**About The OpenSSL Corporation**

The OpenSSL Corporation is a global leader in cryptographic solutions, specializing in developing and maintaining the OpenSSL Library – an essential tool for secure digital communications. The OpenSSL Corporation provides a range of services tailored to assist businesses of all sizes to ensure the secure and efficient implementation of OpenSSL solutions. The OpenSSL Corporation also supports projects aligned with its Mission and Values by providing infrastructure, resources, expert advice, and engagement through advisory committees, particularly in the commercial sector. Collaboration among these projects fosters innovation, enhances security standards, and effectively addresses common challenges, benefiting all our communities.

**Contact**

**MarCom**  
**Hana Andersen**  
**OpenSSL Software Services**  
**\[email protected\]**

Early Bird Registration Now Open for The Inaugural OpenSSL Conference 2025

Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.

The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs. 
This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.

Users are recommended to upgrade to version 0.12.0, which fixes the issue.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-51775

**Apache Zeppelin: Missing Origin Validation in WebSockets vulnerability**

Moderate severity GitHub Reviewed Published Aug 3, 2025 to the GitHub Advisory Database • Updated Aug 4, 2025

**Package**

maven org.apache.zeppelin:zeppelin-shell (Maven)

**Affected versions**

\>= 0.11.1, < 0.12.0

Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.

The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.   
This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.

Users are recommended to upgrade to version 0.12.0, which fixes the issue.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2024-51775
*   apache/zeppelin#4823

Published to the GitHub Advisory Database

Aug 3, 2025

GHSA-xg8j-j6vp-6h5w: Apache Zeppelin: Missing Origin Validation in WebSockets vulnerability

Security firm Point Wild has exposed a new malware campaign using malicious LNK files to install the REMCOS backdoor. This report details how attackers disguise files to gain full system control.

A new and deceptive multi-stage malware campaign has been identified by the Lat61 Threat Intelligence team at security firm Point Wild. The attack uses a clever technique involving malicious Windows Shortcut, or LNK, files, a simple pointer to a program or file, to deliver a dangerous remote-access trojan (RAT) known as REMCOS.

The research, led by Dr. Zulfikar Ramzan, the CTO of Point Wild, and shared with Hackread.com, reveals that the campaign starts with a seemingly harmless shortcut file, possibly attached to an email, with a filename like “ORDINE-DI-ACQUIST-7263535.”

When a user clicks on it, the LNK file discreetly runs a PowerShell command in the background. For your information, PowerShell is a powerful command-line tool Windows utilises for task automation; however, in this attack, it is used to download/decode a hidden payload.

This command is designed to download and decode a hidden payload without triggering security alerts, saving any files, or using macros. The research provides specific file hashes for this LNK file, including MD5: ae8066bd5a66ce22f6a91bd935d4eee6, to help in detection.

The LNK File Analysis (Source: Point Wild)

****The Attack’s Hidden Layers:****

This campaign is designed to be stealthy by using a few different layers of disguise. After the initial PowerShell command runs, it fetches a Base64-encoded payload from a remote server. This is a common way to hide malicious code in plain sight, as Base64 is a standard method for encoding binary data into text.

Once the payload is downloaded and decoded, it is launched as a Program Information File or .PIF file, which is a type of executable often used for older programs. The attackers disguised this file as CHROME.PIF mimicking a legitimate program.

This final step installs the REMCOS backdoor, giving attackers full control of the compromised system. The malware also ensures its persistence on the system by creating a log file for its keystroke recording in a new Remcos folder under the %ProgramData% directory.

Infection Workflow (Source: Point Wild)

****What the REMCOS Backdoor Can Do****

Once installed, the REMCOS backdoor grants the attackers extensive control over the victim’s computer. The threat intelligence report notes that it can perform a wide range of malicious activities, including keylogging to steal passwords, creating a remote shell for direct access, and gaining access to files.

Furthermore, the REMCOS backdoor allows the attackers to control the computer’s webcam and microphone, enabling them to spy on the user. The research also revealed that the command and control (C2) infrastructure for this specific campaign is hosted in Romania and the US.

This finding highlights the need for caution, as these attacks can originate from anywhere in the world. Researchers recommend that users stay cautious with shortcut files from untrusted sources, double-check attachments before opening them, and use updated antivirus software with real-time protection.

New Attack Uses Windows Shortcut Files to Install REMCOS Backdoor

Plus: A former top US cyber official loses her new job due to political backlash, Congress is rushing through a bill to censor lawmakers’ personal information online, and more.

Last week, the United Kingdom began requiring residents to verify their ages before accessing online pornography and other adult content, all in the name of protecting children. Almost immediately, things did not go as planned—although, they did go as expected.

As experts predicted, UK residents began downloading virtual private networks (VPNs) en masse, allowing them to circumvent age verification, which can require users to upload their government IDs, by making it look like they’re in a different country. The UK’s Online Safety Act is just one part of a wave of age-verification efforts around the world. And while these laws may keep some kids from accessing adult content, some experts warn that they also create security and privacy risks for everyone.

Russia’s state-backed hacking group Turla is known for its bold, creative attacks, such as masking their communications via satellite or piggybacking on other hackers’ attacks to avoid detection. The group, which is part of the Russian FSB intelligence agency, is now using its access to the country’s internet providers to trick foreign officials into downloading spyware that breaks encryption, allowing Turla’s hackers to access their private information.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Google Will Start Estimating Your Age Based on Browsing Data**

Google is rolling out an AI-powered age-estimation system to apply content protections to Search and YouTube, even for users who haven’t provided their age. The system is launching in the EU, where digital safety regulations mandate that platforms take steps to protect minors from potentially harmful content.

Instead of relying solely on user-input data, Google says it will infer age using a “variety of signals” and other metadata to determine if a user should be shown restricted results. Privacy advocates say the move risks inaccuracies and raises questions about transparency and consent.

Google claims the changes align with regulatory expectations and will help protect younger users from inappropriate content. Still, the idea that platforms can algorithmically infer personal traits like age—and restrict content based solely on those assumptions—adds a new wrinkle to long-standing debates over moderation, censorship, and digital privacy.

**Army Revokes Former CISA Director’s West Point Appointment After Political Backlash**

Just 24 hours after naming Jen Easterly as West Point’s Distinguished Chair in Social Sciences, the Army rescinded the appointment following far-right criticism. The former Cybersecurity and Infrastructure Security Agency (CISA) director and academy alum had been lauded for her decades of service. But backlash erupted online after activist Laura Loomer claimed Easterly had ties to the Biden-era Disinformation Governance Board.

Nina Jankowicz, who served as executive director of the board, denied having worked with Easterly in a post on BlueSky, calling the episode yet another example of how we’re all living in “the stupidest timeline.”

Nevertheless, Army secretary Dan Driscoll canceled Easterly’s contract and ordered a full review of West Point’s hiring policies. The Army also suspended the practice of allowing outside groups to help select faculty. The reversal marks the second high-profile clash involving former CISA leaders and political pressure following Donald Trump’s revocation of Chris Krebs’ security clearance earlier this year.

****Congress Fast-Tracks Bill Letting Lawmakers Censor Info About Their Homes and Travel****

A bipartisan bill from US senators Amy Klobuchar and Ted Cruz could let lawmakers demand the removal of online posts showing their home addresses or travel plans, Rolling Stone reports. The proposal, which could pass by unanimous consent, is framed as a response to growing threats against public officials—especially after the assassination of Minnesota legislator Melissa Hortman last month.

Watchdogs joined dozens of media outlets in warning that the bill could chill reporting and enable selective censorship. While the legislation includes a nominal exemption for journalists, critics say it remains vague enough to allow members of Congress to sue outlets or demand takedowns of legitimate news stories.

“The Cruz-Klobuchar bill would not provide \[lawmakers\] the protection they seek but would create a powerful new tool that would result in censorship of public discussion and press accountability for their actions,” Daniel Schuman of the American Governance Institute told Rolling Stone. He urged Congress to go “back to the drawing board” and try crafting a bill that protects all Americans’ privacy “without undermining accountability for public officials.”

****Google Bug Let People Quietly Censor Articles From Search****

An alarming vulnerability in Google’s Refresh Outdated Content tool allowed bad actors to selectively scrub individual URLs from search results, 404 Media reports. And there was no hacking required. Journalist Jack Poulson discovered the bug when two of his investigative pieces, including one about a tech CEO’s domestic violence arrest, vanished from Google, even when searched by exact title in quotes.

The exploit involved repeatedly submitting URLs with minor capitalization tweaks. This reportedly confused Google’s indexing engine, which responded by de-listing not just the altered URLs but the original live articles too. Google confirmed the flaw and quietly rolled out a fix, saying it impacted only a “tiny fraction of web pages.”

Free press advocates warn the vulnerability could’ve enabled targeted, silent censorship, especially by powerful actors using reputation management tactics. “If your article doesn’t appear in Google search results,” Poulson said, “in many ways it just doesn’t exist.”

Google Will Use AI to Guess People’s Ages Based on Search History

Cybersecurity is no longer a technical afterthought, thanks to today’s interconnected world. It’s a boardroom imperative. As online…

Cybersecurity is no longer a technical afterthought, thanks to today’s interconnected world. It’s a boardroom imperative. As online threats become more sophisticated and breaches grow costlier, businesses are realising that digital security must be embedded into corporate governance. But what does it mean for cybersecurity to be a board-level priority, and why are many companies still lagging?

Cybersecurity expert Serhii Mikhalap believes the answer lies in mindset. With over nine years of frontline experience, including leading national cyber defence operations and co-founding a cybersecurity startup, Mikhalap has witnessed firsthand the consequences of treating cybersecurity as a checkbox exercise rather than a strategic pillar.

Serhii Mikhalap

****A Career Forged in Critical Response****

Mikhalap began his career in 2016 as an analyst in Ukraine’s national Security Operations Center (SOC). Tasked with responding to advanced persistent threats (APTs) against government and private infrastructure, he developed a nuanced understanding of how threat actors behave.

“We weren’t just identifying malware,” Mikhalap recalls. “We were tracing the motives behind it, mapping out adversaries’ long-term goals and how they infiltrated supply chains.”

By 2020, he transitioned to the commercial sector, initially working as an incident responder and later leading SOC teams at a global cybersecurity provider. His work involved building two SOCs from the ground up, integrating automation, playbook triage, and 24/7 monitoring. Clients included fintech and payment tech companies under tight regulatory scrutiny.

In 2024, Mikhalap co-founded a security-as-a-service startup catering to startups and SMBs in crypto, banking, and transactional tech. His team provides penetration testing, DFIR (digital forensics and incident response), risk assessments, and security audits.

“Cybersecurity is not just about prevention. It’s about response, recovery, and trust. And that trust starts with leadership,” he says.

****Recognizing Excellence****

Mikhalap’s impact hasn’t gone unnoticed. In 2022, he was awarded Ukraine’s national “Znak Yakosti” (Sign of Quality) for his exceptional professionalism in cybersecurity. The award committee highlighted his work in incident response, strategic defence planning, user training, and digital forensics.

In 2023, he was named a Laureate of the national “Award for High Reputation,” honouring his commitment to ethical business practices, responsibility, and quality. These recognitions underscore his credibility as a leader who blends technical rigour with integrity.

****Why the Board Must Own Cyber Risk****

According to Mikhalap, placing cybersecurity on the board agenda is not optional; it’s essential. “Boards oversee strategic risk. And in 2025, cyber risk is strategic risk,” he states.

Yet many boards lack the expertise to understand technical vulnerabilities, let alone align security with business objectives. This creates a dangerous gap.

“The absence of cyber literacy at the top leads to misallocated budgets, underprepared response plans, and overreliance on vendors,” he warns. “Cybersecurity needs to be treated like finance or legal, a domain with its own metrics, language, and accountability.”

He advocates for regular board-level briefings from CISOs or external experts, with a focus on:

*   Compliance obligations
*   Incident response readiness
*   Investment priorities for resilience
*   Current threat landscape and trends
*   Business-critical assets and their exposure

Mikhalap believes that by framing cybersecurity in terms of business continuity and reputational risk, boards can better understand its value.

****The Cost of Inaction****

A recurring theme in Mikhalap’s work is the hidden cost of inaction. “A breach doesn’t just cost money. It erodes trust. It exposes negligence. It can derail an IPO or M&A deal.”

In regulated industries, the consequences are even more severe. Fines, lawsuits, and regulatory bans are all on the table. “But the bigger issue is competitive disadvantage. If your rivals are investing in resilience and you’re not, you’re playing catch-up after the damage is done.”

****Building a Culture of Shared Responsibility****

Mikhalap emphasises that board involvement should go hand-in-hand with cultural change. Security cannot succeed in isolation.

“We need to break down the myth that cybersecurity is IT’s problem. It’s everyone’s responsibility. From HR to finance to product teams, every function needs to understand its role in managing cyber risk.”

To support this, his company offers custom training modules that align security practices with job roles. They also help businesses simulate attacks to test executive decision-making under pressure.

“When leaders go through a simulated breach scenario, they understand the stakes. They realise it’s not just about firewalls. It’s about reputational damage, legal exposure, and business survival.”

****What Progressive Boards Are Doing Right****

Mikhalap highlights a few practices that forward-thinking boards are embracing:

*   Cyber risk as part of enterprise risk management (ERM): Integrating security into broader risk dashboards.
*   Board education: Hosting workshops or onboarding sessions for new members.
*   Independent assessments: Hiring third-party experts to conduct maturity reviews.
*   Scenario planning: Running tabletop exercises for executive teams and directors.
*   Budget alignment: Ensuring security investments match the company’s digital footprint and threat exposure.

He notes that boards don’t need to become cybersecurity experts. But they must ask the right questions and expect clear, actionable answers.

****Anticipating Tomorrow’s Threats****

Looking ahead to 2025 and beyond, Mikhalap sees growing urgency for companies to incorporate cyber strategy into long-term planning. As ransomware, AI-driven attacks, and supply chain breaches increase in scale and complexity, he argues that boardroom priorities must evolve accordingly.

“Cybersecurity is no longer about defending the network perimeter. It’s about managing digital risk across the enterprise. It’s about resilience. And it starts with leadership that understands what’s truly at stake.”

****The Bottom Line****

For Serhii Mikhalap, the message is simple that cybersecurity belongs in the boardroom. Not just during a crisis, but as part of routine oversight.

“If you’re not discussing cyber at the board level, you’re leaving your organisation vulnerable, technically and reputationally,” he says. “Cybersecurity is now a business enabler. Boards that get this right will lead with confidence. Those that don’t will fall behind.”

(Image by Cliff Hang from Pixabay)

Tag

#git